- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Is it possible to aggregate and search within ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to aggregate and search within aggregated results?
My app logs multiple lines per request and each line has a "request_id" key for identification. For each request, there is an optional log line that contains a "session_id" key. How do I search to show all the log lines of a particular request which includes the "session_id" key?
Example:
request_id=1, msg=A
request_id=1, msg=B
request_id=2, msg=C, session_id=1
request_id=2, msg=D
Wanted result:
request_id=2, msg=C, session_id=1
request_id=2, msg=D
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| eval r=_raw
| fields - _time _raw
| makemv r delim="request_"
| mvexpand r
| rex field=r "id=(?<request_id>\d+)\,\s+msg=(?<msg>\w+)(\,\s+session_id=(?<session>\d+))?"
| rex field=r mode=sed "s/^id=/request_id=/g"
| search request_id=2
| fields r
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I get some rows but they are empty.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your text says session_id but your example says session=. adonio's answer assumed the example data was correct, as opposed to your written description.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello sohymg,
indicate in your search that you are looking for events with the session field
index = <yourIndex> sourcetype = <yourSourcetype> request_id=* msg=* session=* | table _time host request_id msg session
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried this and there was no result. Just to clarify:
This is the entire dataset:
request_id=1, msg=A
request_id=1, msg=B
request_id=2, msg=C, session=1
request_id=2, msg=D
This is the result I need:
request_id=2, msg=C, session=1
request_id=2, msg=D
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
did you replace the values for index and sourcetype to match yours?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry there was some typo. I got it to work but the result is not what i want
Returned result:
request_id=2, msg=C, session=1
This is the result I need:
request_id=2, msg=C, session=1
request_id=2, msg=D
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
so to be clear, what you would like to see is: if you have a value of 1 under the session field (session=1) then you want to see all events with request_id=2. is that correct?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes thats correct
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
